Re: ssh keepalives
On 9 Jul 2003 at 20:24, Paulius Bulotas boldly uttered:

> Hi, a bit late answer, but I'm not able to keep up with my email traffic ;)
> Apply this patch to OpenSSH, if you are running FreeBSD:
> http://www.sc.isc.tohoku.ac.jp/~hgot/sources/openssh-watchdog.html
> and use Heartbeat option with something less than dynamic rules life ;)
>
> Regards, Paulius

Aha, now this is a very interesting response! Considering that the author of the patch greatly discourages usage of the older OpenSSH code, and considering that my recently updated 4.8-STABLE box is still using OpenSSH 3.5p1 rather than the latest 3.6p1 mentioned in the patch, I'm a little disinclined to do this patch because I'll have to re-patch it every time I build/install world. If there's any possibility this patch will make it into the mainstream distribution I'll just wait for that. Will wait and see, but thanks very much for the tip!

> On 03 07 01, Philip J. Koenig wrote:
>> I'm having a problem with premature termination of ssh sessions after an idle period of a few minutes, getting a "connection reset by peer" message. I presume this is due to intermediate stateful firewalls closing the connection when no traffic passes for a period of time.
>>
>> In the past I've addressed this issue when I have control of the destination host, by including the following parameters in sshd_config:
>>
>>     ClientAliveInterval 30
>>     ClientAliveCountMax 4
>>
>> However in this case I don't have control over the destination. It's a self-contained network device. man 5 ssh_config says that KeepAlive is the default with ssh. Is there any other tactic I can use to keep these connections from closing after a few minutes of inactivity?
>>
>> Currently on FreeBSD 4.8-stable with OpenSSH_3.5p1

-- 
Philip J. Koenig [EMAIL PROTECTED]
Electric Kahuna Systems -- Computers Communications for the New Millenium
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ssh keepalives
Philip J. Koenig wrote:

> On 9 Jul 2003 at 20:24, Paulius Bulotas boldly uttered:
>> a bit late answer, but I'm not able to keep up with my email traffic ;)
>> Apply this patch to OpenSSH, if you are running FreeBSD:
>> http://www.sc.isc.tohoku.ac.jp/~hgot/sources/openssh-watchdog.html
>
> [ ... ]
>
> Considering that the author of the patch greatly discourages usage of the older OpenSSH code, and considering that my recently updated 4.8-STABLE box is still using OpenSSH 3.5p1 rather than the latest 3.6p1 mentioned in the patch, I'm a little disinclined to do this patch because I'll have to re-patch it every time I build/install world. If there's any possibility this patch will make it into the mainstream distribution I'll just wait for that. Will wait and see, but thanks very much for the tip!

Why not add the patch mentioned above to /usr/ports/security/openssh/files, and then build openssh-3.6p1 as a package? When you installworld, re-add this package afterwards...

-- 
-Chuck
Re: ssh keepalives
On 9 Jul 2003 at 23:03, Paulius Bulotas boldly uttered:

> On 03 07 09, Philip J. Koenig wrote:
>>> Apply this patch to OpenSSH, if you are running FreeBSD:
>>> http://www.sc.isc.tohoku.ac.jp/~hgot/sources/openssh-watchdog.html
>>
>> Considering that the author of the patch greatly discourages usage of the older OpenSSH code, and considering that my recently updated 4.8-STABLE box is still using OpenSSH 3.5p1 rather than the latest 3.6p1 mentioned in the patch, I'm a little disinclined to do this patch because I'll have to re-patch it every time I build/install world. If there's any possibility this patch will make it into the mainstream distribution I'll just wait for that. Will wait and see, but thanks very much for the tip!
>
> I really don't know that ;) But it worked without a problem with 3.4 and 3.5 versions for me, the only thing could be - you will have to apply some pieces of code manually, because of any differences of OpenSSH in base FreeBSD vs stock OpenSSH portable. But still, IMO that's the only option with dynamic ipfw rules ;)

Not sure what you're saying there - if I have a vanilla install of OpenSSH as provided in the base 4.8-STABLE system, and am _not_ using ipfw, will I have to do additional work in addition to running the patch against the existing files?

-- 
Philip J. Koenig [EMAIL PROTECTED]
Electric Kahuna Systems -- Computers Communications for the New Millenium
Re: ssh keepalives
On Thu, 3 Jul 2003, Philip J. Koenig wrote:

> One of those firewalls is quite flexible about protocol state timeouts, I can set this on a service-by-service basis. (ie I could increase it for SSH and no other service) Unfortunately the firewall on the other side isn't so accommodating. It has a single timeout setting that affects all traffic that traverses the firewall, and I'd rather not increase that too high.

If there is no option then run a low-bandwidth application in the background to keep the connection alive, or script something to generate some activity at frequent enough intervals to do so.

Cheers,

Viktor
Re: ssh keepalives
On Tue, Jul 08, 2003 at 11:10:41AM -0700, Viktor Lazlo wrote:

> On Thu, 3 Jul 2003, Philip J. Koenig wrote:
>> One of those firewalls is quite flexible about protocol state timeouts, I can set this on a service-by-service basis. (ie I could increase it for SSH and no other service) Unfortunately the firewall on the other side isn't so accommodating. It has a single timeout setting that affects all traffic that traverses the firewall, and I'd rather not increase that too high.
>
> If there is no option then run a low-bandwidth application in the background to keep the connection alive, or script something to generate some activity at frequent enough intervals to do so.

I have noticed with some firewalls at various places that I have worked that it is not sufficient to just have the remote end send data; you have to send data from your side. Needless to say it is a royal pain.

Marc
-- 
Marc Wiz [EMAIL PROTECTED]
Yes, that really is my last name.
Re: ssh keepalives
On 8 Jul 2003 at 11:10, Viktor Lazlo boldly uttered:

> On Thu, 3 Jul 2003, Philip J. Koenig wrote:
>> One of those firewalls is quite flexible about protocol state timeouts, I can set this on a service-by-service basis. (ie I could increase it for SSH and no other service) Unfortunately the firewall on the other side isn't so accommodating. It has a single timeout setting that affects all traffic that traverses the firewall, and I'd rather not increase that too high.
>
> If there is no option then run a low-bandwidth application in the background to keep the connection alive, or script something to generate some activity at frequent enough intervals to do so.

Well that goes without saying, but the idea was whether the protocol itself contained a keepalive function. It's still a pain to have to go through that just so a connection will not die after 5 mins. I would think this is a common enough issue to justify an enhancement request to the open-ssh people.

-- 
Philip J. Koenig [EMAIL PROTECTED]
Electric Kahuna Systems -- Computers Communications for the New Millenium
Re: ssh keepalives
> Date: Wed, 2 Jul 2003 15:04:51 +0200
> From: Christian Stigen Larsen [EMAIL PROTECTED]
>
> Quoting Steve Coile ([EMAIL PROTECTED]):
> | On Tue, 1 Jul 2003, Philip J. Koenig wrote:
> | > I'm having a problem with premature termination of ssh sessions [...]
> |
> | Is this a common problem with firewalls? We suffer from this problem
> | here, also, and I've thought it must be a misconfiguration with the
> | firewall or elsewhere in the network. But since you mentioned it,
> | I'm rethinking my assessment.
>
> As Michal F. Hanula said, it might be due to the firewall dropping idle TCP connections.

I'm quite sure this is the case, and I know this is a characteristic of the stateful firewalls on both sides. (which I administer) One of those firewalls is quite flexible about protocol state timeouts, I can set this on a service-by-service basis. (ie I could increase it for SSH and no other service) Unfortunately the firewall on the other side isn't so accommodating. It has a single timeout setting that affects all traffic that traverses the firewall, and I'd rather not increase that too high.

> At work I use PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/) for my outbound ssh sessions, and it supports a useful option:
>
>     Sending of null packets to keep session active
>
> Setting this to, say, 60 seconds effectively prevents my sessions from being cut off. Unfortunately I haven't found any similar feature in the OpenSSH clients. Do they support such a feature?

I've used that feature with PuTTY and it's handy. As far as I can tell there is no equivalent in OpenSSH. The KeepAlive feature appears to be used primarily to detect if a connection has died due to a broken link. (probably the thing that allows the client to report "connection reset by peer" right away without sitting there for an hour before figuring it out)

-- 
Philip J. Koenig [EMAIL PROTECTED]
Electric Kahuna Systems -- Computers Communications for the New Millenium
Re: ssh keepalives
On Tue, 1 Jul 2003, Philip J. Koenig wrote:

> I'm having a problem with premature termination of ssh sessions after an idle period of a few minutes, getting a "connection reset by peer" message. I presume this is due to intermediate stateful firewalls closing the connection when no traffic passes for a period of time.

Is this a common problem with firewalls? We suffer from this problem here, also, and I've thought it must be a misconfiguration with the firewall or elsewhere in the network. But since you mentioned it, I'm rethinking my assessment.

Can someone explain why these connections get dropped?

-- 
Steve Coile
Re: ssh keepalives
On Wed, Jul 02, 2003 at 07:17:19AM -0400, Steve Coile wrote:

> On Tue, 1 Jul 2003, Philip J. Koenig wrote:
>> I'm having a problem with premature termination of ssh sessions after an idle period of a few minutes, getting a "connection reset by peer" message. I presume this is due to intermediate stateful firewalls closing the connection when no traffic passes for a period of time.
>
> Is this a common problem with firewalls? We suffer from this problem here, also, and I've thought it must be a misconfiguration with the firewall or elsewhere in the network. But since you mentioned it, I'm rethinking my assessment.
>
> Can someone explain why these connections get dropped?

The firewall is tracking the state of TCP connections (among others). The information about the state needs some memory, which means that the firewall cannot keep state of an infinite number of connections. After some time the state gets dropped.

A reasonable firewall (such as ipfilter) takes the state of the connection (syn sent, ack sent, open, ...) into account when determining the timeout (eg. with ipfilter the timeout for a partially open connection is (by default) 480s, for an open connection it is 86400s (a week). When a connection is closed, the state is dropped immediately). Unreasonable firewalls don't, which means that the time before the connection is dropped has to be quite short to prevent the state table from overflowing.

Finding the reason for this happening with NAT is left as an exercise for the reader ;-)

mf
-- 
What do you care what other people think?
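As an added illustration of the state-table behaviour Michal describes (example code written for this page, not part of his message and not any firewall's implementation), the model below keeps one entry per TCP 4-tuple, gives each entry an idle timeout that depends on its state, and reaps entries that stay idle too long. The timeout values are assumptions chosen for the example: the half-open value mirrors the ipfilter default he quotes, the established value is deliberately short to behave like the "unreasonable" single-timeout firewall Philip is stuck behind. The sample flow is constructed. The 7200-second case stands in for the TCP-level keepalive that ssh_config's KeepAlive option turns on, whose first probe is only sent after the kernel's keepalive idle time (two hours by default on FreeBSD, net.inet.tcp.keepidle), which is why that option does nothing against a five-minute firewall.

```python
"""Added example, not part of Michal's message or any firewall's code: a toy
model of a stateful firewall's connection table with per-state idle timeouts.
The timeout values are assumptions chosen for illustration."""
from dataclasses import dataclass

# Assumed idle timeouts in seconds, keyed by TCP state (illustrative only).
# The half-open value mirrors the ipfilter default quoted in the thread; the
# established value is deliberately short, like the "unreasonable" firewall.
IDLE_TIMEOUTS = {
    "SYN_SENT": 480,
    "ESTABLISHED": 300,
}


@dataclass
class Entry:
    state: str
    last_seen: float


class StateTable:
    """Connection table: one entry per 4-tuple, expired by idle time."""

    def __init__(self, timeouts=None):
        self.timeouts = dict(timeouts or IDLE_TIMEOUTS)
        self.entries = {}

    def packet(self, flow, now, syn=False, fin=False, rst=False):
        """Record a packet on `flow` at time `now`; return True if it is passed."""
        self.expire(now)
        entry = self.entries.get(flow)
        if entry is None:
            if not syn:
                return False  # no state and not a new connection: silently dropped
            self.entries[flow] = Entry("SYN_SENT", now)
            return True
        if fin or rst:
            del self.entries[flow]  # closing: state dropped immediately
            return True
        if entry.state == "SYN_SENT":
            entry.state = "ESTABLISHED"  # handshake completed (simplified)
        entry.last_seen = now  # any packet in either direction refreshes the entry
        return True

    def expire(self, now):
        """Drop entries idle longer than their state's timeout; return how many."""
        dead = [f for f, e in self.entries.items()
                if now - e.last_seen > self.timeouts[e.state]]
        for f in dead:
            del self.entries[f]
        return len(dead)


def session_survives(keepalive_interval, duration, table=None):
    """Open a connection, stay idle apart from keepalives every
    `keepalive_interval` seconds (None = no keepalives), then send a real
    packet at `duration`. Return True if that packet still passes."""
    fw = table if table is not None else StateTable()
    flow = ("10.0.0.5", 52000, "192.0.2.10", 22)  # constructed sample flow
    fw.packet(flow, 0.0, syn=True)  # SYN: half-open entry created
    fw.packet(flow, 1.0)            # handshake completes: ESTABLISHED
    t = 1.0
    if keepalive_interval:
        while t + keepalive_interval < duration:
            t += keepalive_interval
            fw.packet(flow, t)      # keepalive traffic refreshes the entry
    return fw.packet(flow, float(duration))  # first keystroke after the idle period


if __name__ == "__main__":
    for interval in (None, 60, 7200):
        print(f"keepalive every {interval}s, idle 10 min:",
              "survives" if session_survives(interval, 600) else "dropped")
```

The only number that matters for a keepalive is that its interval is shorter than the smallest idle timeout on the path; once the entry is gone, the next real packet has no state to match and is dropped (or, behind NAT, gets a fresh translation the far end answers with a reset).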
Re: ssh keepalives
On Wed, Jul 02, 2003 at 02:52:32PM +0200, Michal F. Hanula wrote:

> On Wed, Jul 02, 2003 at 07:17:19AM -0400, Steve Coile wrote:
>> On Tue, 1 Jul 2003, Philip J. Koenig wrote:
>>> I'm having a problem with premature termination of ssh sessions after an idle period of a few minutes, getting a "connection reset by peer" message. I presume this is due to intermediate stateful firewalls closing the connection when no traffic passes for a period of time.
>>
>> Is this a common problem with firewalls? We suffer from this problem here, also, and I've thought it must be a misconfiguration with the firewall or elsewhere in the network. But since you mentioned it, I'm rethinking my assessment.
>>
>> Can someone explain why these connections get dropped?
>
> [...lots of nonsense...]

If you have IPfilter, try

    sysctl -a | grep net.inet.ipf

mf
-- 
What do you care what other people think?
Re: ssh keepalives
Quoting Steve Coile ([EMAIL PROTECTED]):

| On Tue, 1 Jul 2003, Philip J. Koenig wrote:
| > I'm having a problem with premature termination of ssh sessions [...]
|
| Is this a common problem with firewalls? We suffer from this problem
| here, also, and I've thought it must be a misconfiguration with the
| firewall or elsewhere in the network. But since you mentioned it,
| I'm rethinking my assessment.

As Michal F. Hanula said, it might be due to the firewall dropping idle TCP connections.

At work I use PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/) for my outbound ssh sessions, and it supports a useful option:

    Sending of null packets to keep session active

Setting this to, say, 60 seconds effectively prevents my sessions from being cut off. Unfortunately I haven't found any similar feature in the OpenSSH clients. Do they support such a feature?

-- 
Christian Stigen Larsen -- http://csl.sublevel3.org -- mob: +47 98 22 02 15
ssh keepalives
I'm having a problem with premature termination of ssh sessions after an idle period of a few minutes, getting a "connection reset by peer" message. I presume this is due to intermediate stateful firewalls closing the connection when no traffic passes for a period of time.

In the past I've addressed this issue when I have control of the destination host, by including the following parameters in sshd_config:

    ClientAliveInterval 30
    ClientAliveCountMax 4

However in this case I don't have control over the destination. It's a self-contained network device. man 5 ssh_config says that KeepAlive is the default with ssh. Is there any other tactic I can use to keep these connections from closing after a few minutes of inactivity?

Currently on FreeBSD 4.8-stable with OpenSSH_3.5p1

-- 
Philip J. Koenig [EMAIL PROTECTED]
Electric Kahuna Systems -- Computers Communications for the New Millenium
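Two different things are called "keepalive" in this thread, and the example below (added for this page; it is not OpenSSH's code and not from any poster) shows the two SSH-protocol-level ones on the wire: the "null packets" Christian's PuTTY sends, which are SSH_MSG_IGNORE messages, and the keepalive@openssh.com global request that sits behind Philip's ClientAliveInterval / ClientAliveCountMax settings. Both travel inside the encrypted stream, so a firewall sees ordinary data; the global request additionally forces a reply, which produces traffic in the other direction as well (the condition Marc's firewalls insist on) and lets the sender notice a dead peer. The KeepAlive option Philip found in ssh_config(5) is something else: it sets SO_KEEPALIVE on the socket, and the kernel's first probe only goes out after net.inet.tcp.keepidle (two hours by default), far too late for a firewall that forgets the connection after five minutes. For what it is worth, the client-side equivalent the thread was looking for, ServerAliveInterval and ServerAliveCountMax in ssh_config, arrived in OpenSSH 3.8 (which also renamed KeepAlive to TCPKeepAlive). Message numbers and the string encoding below come from RFC 4251/4253/4254; the request name is the one OpenSSH uses; the AliveTracker timing rules are a simplification written for this example, not sshd's exact logic.

```python
"""Added example, not OpenSSH's code: the wire form of the two SSH-level
keepalives discussed in the thread, and a simplified model of the
ClientAliveInterval / ClientAliveCountMax bookkeeping. Message numbers and
the string encoding are from RFC 4251/4253/4254; "keepalive@openssh.com" is
the request name OpenSSH uses. The timing rules below are a simplification
written for this example, not sshd's exact behaviour."""
import os
import struct

SSH_MSG_IGNORE = 2            # RFC 4253: the peer must discard the payload
SSH_MSG_GLOBAL_REQUEST = 80   # RFC 4254
SSH_MSG_REQUEST_SUCCESS = 81
SSH_MSG_REQUEST_FAILURE = 82


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ignore_message(payload: bytes) -> bytes:
    """A 'null packet' as PuTTY sends: SSH_MSG_IGNORE wrapping arbitrary data.
    It is encrypted like any other packet, so a firewall sees ordinary traffic,
    but the peer never answers it."""
    return bytes([SSH_MSG_IGNORE]) + ssh_string(payload)


def null_packet(size: int = 8) -> bytes:
    """Random filler in the IGNORE message, so repeated keepalives differ on the wire."""
    return ignore_message(os.urandom(size))


def keepalive_request() -> bytes:
    """The OpenSSH keepalive: a global request with want_reply set, so the
    peer must send REQUEST_SUCCESS or REQUEST_FAILURE back. That reply is
    traffic in the other direction too, and it lets the sender detect a
    dead peer."""
    return (bytes([SSH_MSG_GLOBAL_REQUEST])
            + ssh_string(b"keepalive@openssh.com")
            + b"\x01")  # boolean want_reply = TRUE


def is_keepalive_reply(payload: bytes) -> bool:
    """Either answer proves the peer is alive; a peer that does not know the
    request name replies with REQUEST_FAILURE, which is fine."""
    return bool(payload) and payload[0] in (SSH_MSG_REQUEST_SUCCESS, SSH_MSG_REQUEST_FAILURE)


class AliveTracker:
    """Simplified model of sshd's client-alive logic: after `interval` seconds
    without any packet from the peer, send a keepalive request; once
    `count_max` consecutive requests have each gone a full interval
    unanswered, declare the peer dead (sshd would disconnect)."""

    def __init__(self, interval: float, count_max: int):
        self.interval = interval
        self.count_max = count_max
        self.unanswered = 0
        self.last_activity = 0.0
        self.sent = []  # payloads this side would have sent, for inspection

    def on_receive(self, payload: bytes, now: float) -> None:
        self.last_activity = now
        if is_keepalive_reply(payload):
            self.unanswered = 0

    def tick(self, now: float) -> str:
        """Call periodically; returns 'ok', 'probe' or 'dead'."""
        if now - self.last_activity < self.interval:
            return "ok"
        self.unanswered += 1
        self.last_activity = now  # next decision a full interval from now
        if self.unanswered > self.count_max:
            return "dead"
        self.sent.append(keepalive_request())
        return "probe"


def silent_peer_disconnect_time(interval: float, count_max: int, horizon: int = 3600):
    """Seconds until a peer that never answers is declared dead (1 s resolution)."""
    tracker = AliveTracker(interval, count_max)
    for now in range(1, horizon + 1):
        if tracker.tick(float(now)) == "dead":
            return now
    return None


if __name__ == "__main__":
    print(keepalive_request().hex())
    print("ClientAliveInterval 30 / ClientAliveCountMax 4 gives up after",
          silent_peer_disconnect_time(30, 4), "s of silence")
```

The practical rule that falls out of the model: pick the interval comfortably below the shortest firewall idle timeout on the path (30 s against a 5 minute timeout, as in Philip's sshd_config), and treat the interval times the count as the longest a dead session can linger before the daemon tears it down.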